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Abstract: In 2016, the National Institute of Standards and Technology (NIST) announced an open 
competition with the goal of finding and standardizing suitable algorithms for quantum-resistant 
cryptography. This study presents a detailed, mathematically oriented overview of the round-three 
finalists of NIST’s post-quantum cryptography standardization consisting of the lattice-based key 
encapsulation mechanisms (KEMs) CRYSTALS-Kyber, NTRU and SABER; the code-based KEM 
Classic McEliece; the lattice-based signature schemes CRYSTALS-Dilithium and FALCON; and the 
multivariate-based signature scheme Rainbow. The above-cited algorithm descriptions are precise 
technical specifications intended for cryptographic experts. Nevertheless, the documents are not 
well-suited for a general interested mathematical audience. Therefore, the main focus is put on the 
algorithms’ corresponding algebraic foundations, in particular LWE problems, NTRU lattices, linear 
codes and multivariate equation systems with the aim of fostering a broader understanding of the 
mathematical concepts behind post-quantum cryptography. 


Keywords: post-quantum cryptography; lattices; learning with errors; linear codes; multivariate 
cryptography; Kyber; Saber; Dilithium; NTRU; Falcon; Classic McEliece; Rainbow; NIST 
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1. Introduction 


In recent years, significant progress in researching and building quantum computers 
has been made. The existence of such computers threatens the security of many modern 
cryptographic systems. This affects, in particular, asymmetric cryptography, i.e., KEMs 
and digital signatures. By leveraging Shor’s quantum algorithm to find the period of a 
function in a large group, a quantum computer can solve a distinct set of mathematical 
problems. In particular, this includes integer factorization and the discrete logarithm, which 
are the basis for a wide range of cryptographic schemes. Therefore, a fully fledged quantum 
computer would be able to efficiently break the security of many modern cryptosystems. 
To defend against this threat, the need for novel mathematical problems which are resistant 
to Shor’s algorithm arises. Such problems are thereby promising candidates to withstand 
the superior computing possibilities of quantum computers. 

In 2016, NIST announced an open competition with the goal of finding and standard- 
izing suitable algorithms for quantum-resistant cryptography. The standardization effort 
by NIST is aimed at KEMs and digital signatures [1]. This process is currently in its third 
round of candidate selection (April 2022). 

At this point, the submitted algorithms are complex technical specifications without a 
presentation of the underlying mathematical fundamentals and therefore do not allow an 
easy access to these novel post-quantum algorithm approaches. As some of these algorithms 
will probably become widely used in industrial areas very soon, it is vital to foster a broad 
understanding of these mathematical concepts. In this document, we therefore address 
the described lack of educational presentation. As we do not intend to give a detailed 
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comparison of the presented methods and their performance in practice, we would like to 
refer to the post-quantum database PQDB [2]. This website is an internal project within 
Fraunhofer AISEC and aims to provide an up-to-date overview of implementation details 
and performance measurements of post-quantum secure cryptographic schemes according 
to available research. 

In the following sections, the round-three finalists of NIST’s competition are presented, 
and their mathematical details and properties are outlined. For a quick access to any of 
these algorithms, we have structured the document in separate parts containing distinct 
mathematical concepts, which thereby offer independent readability. These concepts 
correspond to the algorithms’ respective algebraic foundations, which are LWE problems 
as well as NTRU lattices in Section 2, linear codes in Section 3 and multivariate equation 
systems in Section 4. 


2. Lattice-Based Cryptography 
2.1. Lattice Fundamentals 

The cryptographic interest in lattices mainly arises from the fact that a given lattice 
L can have widely different bases. While a good basis can simplify some computational 
tasks significantly, a bad basis can make them almost impossible. In this section, we will 
give a short introduction to the fundamental mathematics and the two most important 
computational problems of lattices. 


2.1.1. Lattices 


Definition 1 (lattice, basis). Let B = {b1,b2,...,bm} be a set of linearly independent vectors of 
R”. Then, the set of all integer linear combinations 


L(B) = {Sat | 4i E z) cC R” 
i 


is called a lattice in R” generated by B. We furthermore refer to {b1, bz, ..., bm} as a basis of the 
lattice L. 


An example of a lattice with corresponding basis is shown in Figure 1. We can 
equivalently generate L via a matrix B containing the basis vectors as column vectors. 


oe 
ao a” b oe 


Figure 1. A 2-dimensional lattice. 


Definition 2 (lattice, rank, dimension, full-rank lattice). Let {b1, b2, ..., bm} be a set of linearly 
independent vectors of IR". Let B be the n x m matrix with column vectors by,..., bm. Then: 


L(B) = {Bx | x € Z"} 


is called lattice in R” generated by B. We call m the rank and n the dimension of the lattice. 
For m equals n, the lattice is called the full-rank lattice. 
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Observe that the basis underlying a lattice L is not unique. Observe that the lattice 


generated by the vectors 
O\ A 
1)’ \0 
is ZÊ, the set of all integer points. Z? is also generated by the vectors 


9-6) 


Figure 2 also illustrates this fact. On the other hand, n linearly independent vectors in Z” 
are not necessarily a basis of Z”. As an example, observe that the modified vectors from 


the example above 
2\ A 
0oy U 


do not form a basis of Z2. 


Figure 2. Two-dimensional lattice with a reduced (good) basis {b}, b } and a bad basis {b;, b2}. 


2.1.2. Computational Lattice Problems 


The particular structure of lattices allows them to have special mathematical properties. 
The following computations can be efficiently evaluated using linear algebra algorithms: 


e Let 94,...,2% E R” be a set of vectors generating the lattice L. Calculate a basis 
bı, -bm € R” of L. 
e Let L bea lattice. Evaluate whether a given vector c is an element of L. 


Other computational lattice problems appear to be generally hard and are - as indicated 
in the introduction - even believed to be resistant against Shor’s algorithm. Therefore, they 
are interesting candidates for usage in post-quantum-cryptography. These problems are 
presented in the following. 


Shortest Vector Problem 

Let L be a lattice with some basis B € R”*” and || - || some norm. Let A(L) be the 
length of the shortest nonzero vector in L. The task of finding / € L such that ||/|| = A(L), 
i.e., finding any shortest vector of L, is called the shortest vector problem (SVP). Figure 3 
illustrates such a shortest vector in a lattice. 
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Figure 3. Two-dimensional lattice with basis {b1, b2} and shortest vector £. 


2.1.3. Closest Vector Problem 


Let L be a lattice with some basis B € R”*” and || - || some norm. Given q € R”, 
the task of finding l € L such that ||! — q|| is minimal, i.e., find the lattice vector | closest to 
a given arbitrary vector, is called the closest vector problem (CVP). Figure 4 illustrates a 
random point with its corresponding closest lattice vector. 


Figure 4. Two-dimensional lattice with £ as closest vector to point q. 


2.2. Cryptography Based on Learning with Errors (LWE) 
2.2.1. LWE Fundamentals 
Learning with Errors 
Let Z4 = Z/qZ be the ring of integers modulo q. We can naturally form a linear 
equation system 
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Then, the associated equations look like: 


10-5, +3-s2 
4-s,;+1-5s9 


5-s3+1-s4 = 10 
1-sg3+2-sg=3 


3-8, +1-59+1-534+5-5,=8 


Solving this equation system can be efficiently realized using the Gaussian algorithm. 
However, adding even only small error values e € Z; to the equation system yields: 


A-ste=b , 


which renders solving the equation system and retrieving the solution vector s surprisingly 
hard. This fact is founded in the relation to the hard lattice problems described above, 
which is presented in a nutshell below. 


Decisional LWE 


The LWE problem can also be rephrased as a decision problem, usually abbreviated 
dLWE. Given an LWE sample (A,b) as defined above (s and e are kept secret), the task 
is to guess whether the values of b have been calculated as A -s +e with small error 
values e, or whether they have been chosen arbitrarily. Both variants are equivalently hard. 
The reduction from LWE to dLWE has been proven by Regev ([3], Lemma 4.2), the inverse 
reduction from dLWE to LWE is trivial. 


Linking LWE to Computational Lattice Problems 
Consider an LWE problem of the form: 


A-ste=b , 


where A € Zg", be Zi and small vectors s € Zar ec Zg- It is straightforward to solve 
a concrete LWE instance by solving the closest vector problem. Observe that the closest 
vector to b is almost always the lattice vector A - s with distance e. 

To give an intuition of the relationship between learning with errors and the shortest 


vector problem, consider the following lattice: 
L= {x € Z" | (A || I || (=b)):x=0 modq} , 


where the ’||’ operator denotes concatenation and I, denotes the n x n identity matrix. It 
can be observed that the column vector (s,e, 1) is an element of L by verifying that 


s 
(A I, —b)- {e| =A-s+e—b=b—b=0modq 
1 


holds. It can be shown that the vector (s,e, 1) is actually a shortest vector in L and therefore 
is an SVP solution for L. This means retrieving the vector (s,e,1) directly yields the secret s 
as well as the error vector e and therefore solves the LWE system. 


LWE-Based Encryption Schemes 


This section aims to serve as a high-level introduction to LWE-based encryption 
schemes, so that their basic idea can be easily understood. The following simplified 
example will only be used to transmit a message consisting of a single bit, but it can be 
trivially extended to transmit a bitstring of any desired length. 

Consider an LWE instance A-s +e = b, where A € Z/'*" is chosen uniformly random 
ands € Zi ande € Zi are chosen from an error distribution, i.e., their values are rather 
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small. Let us assume the values A and b are public while the corresponding values s and e 
are kept secret. The LWE problem then states that it is hard to calculate s or e. 

To build the actual encryption scheme, we will randomly sample the additional values 
re Zi as well as errors e; € Zr and e2 € Zq. With that, we construct the equation system: 


u=Al-r+e, € ZF 
v=b -r+ e E€ Zq , 


which can be equivalently represented as: 


in a compact form. 

It is then easy to see that this is also another instance of the LWE problem. With knowl- 
edge of (A, b, u, v), itis hard to calculate any of the other values. Furthermore, the decisional 
LWE problem states that it is even hard to differentiate between the values u,v calculated 
in the method described above and u,v’ with some arbitrary value v’. This is a core part of 
our encryption system. 

For now, let us assume we would just send (u, v) back to the recipient, who (knowing 
s) could then calculate the value sT -u = sT . (AT -r +e). Taking into account that 
the error values are relatively small, we observe that sT -u ~ sT . AT - r and also that 
v=b!.r +e, ~b! .ra (A-s)! -r= s". AT .r. Thus, neglecting the error values, we find 
that sT -u x v. 

This means we have found a way to indirectly transmit about the same value in two 
separate ways, and we have done so unnoticed by a third person: without knowledge of s, 
it cannot be deduced how close exactly these values are to each other (ALWE assumption). 

The trick is to hide the message in one of these values. When the message is 0, we 
will just transmit v’ = v. However, in case it is 1, we will transmit v’ = v + q/2 (remember 
that we are operating on Z4, so this is the value “opposite” to 0). The receiver can then 
calculate u = v’ — s7 - u. If u is close to zero (mod q), the message was 0; if it is closer to 
q/2, the message was 1. 

Let us summarize the process more formally. Let round,,(-) denote rounding to the 
nearest multiple of n. For a one-bit message encoded as u € {0, |q/2] }, the ciphertext is 
(u,v') with 


u=Al-r+ e1 
v =b .r+e+y , 
from which the receiver can calculate: 


round | 9/2) (0 -sT . u) 

= round | 4/2) br +e, +u-—s'(ATr+e1)) 
(As +e)Tr +e +p-—s"A"r-— se) 
(A Trpel r+e,+yu-— (As)!r— s"e1) 


+e Ty +e — sTe1) 


= round |, /2| 


= round |, /2| 


( 
( 
( 
= round 4/2) (4 
=qų. 


For the last equality to hold (and thus, the decryption to succeed), we need the overall 
effect of the error term (eTr + e2 — s'e,) to stay below q/4. In practice, all candidate 
schemes use an error distribution and a modulus q where this is not always the case in 
order to have reasonable ciphertext sizes. The failure probability in all cases is extremely 
small, so it is usually negligible in practice. However, care must be taken that attackers 
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cannot learn anything about the secret key by intentionally crafting ciphertexts that cause 
decryption failures. 


Flavors of LWE: Ring-LWE and Module-LWE 


The sample cryptosystem described above can be trivially extended to encapsulate 
bitstrings of a fixed length £ by running the same protocol £ times in parallel. In contrast to 
the flavors described below, this approach is called Plain LWE (note that even though Z, 
is a ring, the term Ring-LWE refers to another approach, see below). A production-ready 
scheme that uses Plain LWE is Frodo [4]. Because of its simplicity it is considered to have 
the least potential for attacks. However, this is paid for by communication costs about 
15 times higher than with Ring-LWE or Module-LWE. The comparison of Frodo’s public 
key and ciphertext size to the respective sizes of Kyber and Saber shows this fact. Because 
of the relatively bad performance, it is not among the NIST standardization finalists (but 
included as an alternate candidate) and is thus not included in this report. Other variants 
of LWE can be created by exchanging the underlying algebraic structure. Various flavors 
have been researched, and we will detail the relevant ones in the following. 

Ring-LWE was first proposed by Vadim Lyubashevsky, Chris Peikert and Oded Regev 
in 2010 [5]. Calculations take place in a polynomial ring R4 := Z,[x|/ f(x) for some poly- 
nomial f(x). Therefore, polynomial multiplication is used instead of matrix multiplication. 

Module-LWE is a variant that further improves Ring-LWE and was proposed by 
Adeline Langlois and Damien Stehlé in 2012 [6]. It uses the exact same structure as the 
sample system detailed above, but the scalars are replaced by ring elements of Ry, as 
defined in the previous paragraph. Consequently, vectors become elements of so-called 
modules, which are a generalization of vector spaces over rings, hence the name (see Table 1 
for a comparison). 

Most early practical implementations of LWE-based cryptography, such as the 
NewHope scheme [7], use Ring-LWE. However, it was shown that Ring-LWE possibly 
provides more attack surface, so that a Ring-LWE scheme is at most as secure as an equally 
parameterized Module-LWE scheme [8]. For that reason, NIST has decided not to consider 
Ring-LWE schemes in the third round. 


Table 1. Comparison of algebraic structures used in LWE variants. 


Plain LWE Ring-LWE Module-LWE 
A Zy" Zalx]/f (Zalx]/ f)" 
. matrix mult. polynomial mult. matrix mult. 
s Zi Zq|x]/f (Zaq[x]/f)™ 
be Zi? Zaq(x]/f (Zaqlx]/f)" 


Learning with Rounding 


The learning with rounding (LWR) problem is a variant of the LWE problem. Consider 
a single line of the LWE problem As +e = b, where A € Zj*" is chosen uniformly and 
se Zr and e € Zi from a small error distribution, i.e., 


(As) + ep = (ak1 ` 51 +- + Akm ` Sm) + ek = br. 


Instead of sampling and adding a random small error e;, noise is added to the equation 
by simple rounding. In this case, that means defining a rounding function |-|, : Z4 + Zp 
for some p < q dividing Z, into p roughly same-sized intervals and mapping an element in 
Zq to the index of its corresponding interval. For example, when p and q are both powers 
of 2, rounding simplifies to mapping an element to its log) (p) most significant bits. 

This rounding function can be extended to vectors in Zi by component-wise rounding, 
i.e., rounding each (As), separately. Counter-intuitively, although the noise in LWR is 
deterministically computed, it is computationally as difficult as solving LWE, i.e., deriving 
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s from A and |A-s]» is hard [9]. Just as in the LWE case, variants of LWR can be created 
by exchanging the underlying structure. For example, the scheme Saber uses Module-LWR. 


2.2.2. Kyber 


Kyber [10] is a CCA-secure KEM derived from a CPA-secure public-key encryp- 
tion (PKE) scheme based on Module-LWE. For n,q € N, the underlying ring is Rg = 
Zq|X| / (X" +1), i.e., the ring of polynomials up to degree n — 1 with coefficients in Z,. 
The corresponding module is RE with rank k € N. 

The following primitives are required: a noise space B, where sampling a value from 
B yields a random small integer value in the range {—4, ..., 4}. Additionally, for the KEM 
construction, secure hash functions H1, H and a secure key derivation function KDF 
are required. 

Internally, the plaintext encrypted by Kyber is a ring element r € Ry. Therefore, 
the input bitstring m € {0,1}? is converted to a ring element r = toRing(m), i.e., a 
polynomial, as follows: 


0 0 

0 0 

toRing [2] 224. 0+0 x4 1 32 0 ght yn 
; 2 2 

0 0 

i H 


It can already be observed that even after having added a vector with small coefficients 
the original polynomial can easily be reconstructed. The reverse operation fromRing 
reconstructs a bitstring from a given ring element through coefficient-wise division by 4 
and subsequent rounding. The Kyber specification introduces encoding and compression 
functions, which we have simplified to the toRing and fromRing functions to increase 
readability and understanding. 

Analogously to the general LWE-based encryption scheme described in Section 2.2, 
the Kyber key generation (Algorithm 1) instantiates a particular LWE problem, As +e = b, 
by generating coefficients A for the linear equation system and sampling a solution vector 
s as well as an error vector e. 


Algorithm 1 Kyber PKE Key Generation: keyGen. 
Input: none 

1. Generate A € REX 

2. Samples € RI with coefficients from B 


3. Samplee € Ri with coefficients from B 
4. Calculate b = As +e 
Output: public key pk = (A,b), secret key s 


The solution vector s functions as the secret key, while A and the vector b = As +e 
are used as the public key. Calculating s from the public key would be identical to solving 
an instance of the LWE problem. 

The Kyber PKE encryption (Algorithm 2) looks similar to the LWE-based encryption 
scheme introduced in Section 2.2 expanded to a Module-LWE setting. 
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Algorithm 2 Kyber PKE Encryption: enc, 


Input: public key pk = (A, b), message m € {0,1}?°° 
Sampler € RI with coefficients from B 

Sample e1 € RE with coefficients from B 
Sample e2 € Rq with coefficients from B 
Calculate u = ATr + e 

. Calculate v = br + e3 + toRing(m) 

Output: ciphertext c = (u,v) 


Oe a cae Sa 


With knowledge of the secret value s, the reconstruction of the message m is possible 
through the corresponding Kyber PKE decryption routine (Algorithm 3). 


Algorithm 3 Kyber PKE Decryption: dec 


Input: secret key s, ciphertext c = (u,v) 
T 


1. Calculate m* = v — s* u 


Output: message m = fromRing(m*) 


Applying the operation fromRing(m*) reconstructs the original m with very high 
probability. Indeed, the Kyber encryption scheme is a probabilistic algorithm returning the 
original message m with very high probability (see Table 2 for concrete failure probability 
values), depending on the amount of noise within the sampled vectors. 

To construct a CCA-secure KEM from the given PKE, a variant of the Fujisaki-Okamoto 
transformation (FO-transformation) is used. Fujisaki and Okamoto [11] presented the first 
generic transformation from asymmetric and symmetric encryption schemes to a secure 
hybrid encryption scheme. Later, Hofheinz, Hövelmanns and Kiltz [12] extended the 
work of Fujisaki and Okamoto and presented a generic transformation toolkit, including a 
transformation of a PKE scheme into a secure KEM. Algorithm 4 shows the Kyber KEM 
key generation. 


Algorithm 4 Kyber KEM Key Generation. 
Input: none 


1. Generate g € {0,1} 
2. Generate (pk,s) = PKE.keyGen() 


Output: public key pk, secret key sk = (s, 0) 


In the KEM encapsulation (Algorithm 5), observe that the value r is used in the 
underlying PKE as a seed for the generation of the otherwise random values during 
encryption. Although a deterministic public key encryption algorithm is usually not 
desirable, for a KEM, the receiver needs to be able to repeat the encryption procedure in 
the same way as the sender. We denote the deterministic version of the encryption routine 
with given seed r by PKE.enc;(pk,m). Furthermore, the message m is hashed before being 
fed to the PKE encryption routine. 


Algorithm 5 Kyber KEM Encapsulation. 
Input: public key pk 


1. Generate message m € {0,1} 

2. Calculate (K’,r) = H,(H2(m) || H2(pk)) 
3. Calculate c = PKE.enc,(pk, H2(m)) 

4. Calculate K = KDF(K’ || H(c)) 


Output: encapsulation c, shared secret K 
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The decapsulation routine (Algorithm 6) calculates the required values analogously to 
the encapsulation routine. 


Algorithm 6 Kyber KEM Decapsulation. 
Input: public key pk, secret key sk = (s,a), encapsulation c 


Calculate Hm = PKE.dec(s,c) 
Calculate (K',r') = Hi (Hm || H2(pk)) 
Calculate c’ = PKE.enc,: (pk, Hm) 

Ifc = c' set K = KDF(K’ || H(c)) 

. Ifc €c! set K = KDEF(0 || Ho(c)) 


Output: shared secret K 


O H> a 


To gain some intuition of how ciphertext validation in Kyber works, have a look at 
the decryption process as described in detail in Section 2.2. In the Kyber PKE scheme, 
the message m is embedded within the difference of the vectors v and sTu, i.e., 


T 


v—s! -u = toRing(m) + (e'r + ez — s" 


a), 
where e, e1, e2 are random error vectors. There are a lot of different combinations of values of 
these error terms that all correspond to the same m. In the KEM, however, the randomness 
becomes deterministic by deriving it from a chosen r, so there is a unique set of values 
(e,e1,e2) for each m. This property establishes the required CCA-security of the KEM. 
When an adversary sends a random ciphertext to the decapsulation routine, it will always 
decipher to a message m, but the probability that the adversary has chosen the specific 
ciphertext (generated by the correct “random” terms) corresponding to m is negligible. 
The Kyber instances with their corresponding parameter choices are shown in Table 2. 


Table 2. Kyber parameter sets with corresponding decryption failure probability ô. 


n k q ô 
Kyber512 256 2 3329 27139 
Kyber768 256 3 3329 2104 
Kyber1024 256 4 3329 9174 


2.2.3. Saber 


Saber [13] is a CCA-secure KEM derived from a CPA-secure PKE based on Module- 
LWR. For n, g € N, the underlying ring is Ra = Z4[X]/ (X" +1), i.e., the ring of polynomials 
up to degree n — 1 with coefficients in Z4. The corresponding module is Ri with rank 
keEN. 

The following primitives are required: a noise space B, where sampling a value from 
B yields a random small integer value in the range {—5,...,5}. Additionally, for the KEM 
construction, secure hash functions H4, Hz, H3 and a secure key derivation function KDF 
are required. 

Saber’s rounding function does not strictly round down, as we have seen in the general 
case of LWR in Section 2.2; instead, it rounds to the median of each of the p intervals. (This 
is basically just the most naive approach for rounding.) This is implemented by adding 
half of the interval’s length h ~ 5 and subsequently rounding down, i.e., 


Lx]p:= |x +h]p. 


To implement that efficiently, Saber only uses powers of 2 for the parameters q and p. This 
simplifies rounding to an addition followed by a bitwise shift. 
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Like Kyber, the Saber PKE (Algorithms 7-9) is based on the classic LWE-based encryp- 
tion scheme introduced in Section 2.2. However, error addition is replaced by rounding. 
This is the only difference to the Kyber PKE presented in Section 2.2.2. 


Algorithm 7 Saber PKE Key Generation: keyGen. 
Input: none 

1. Generate A € iS 

2. Samples € Ra with coefficients from B 

3. Calculate b = |As|, 

Output: public key pk = (A,b), secret key s 


Algorithm 8 Saber PKE Encryption: enc 


Input: public key pk = (A,b), message m € {0,1}7°6 
1. Sampler € RI with coefficients from B 

2. Calculate u = | Ar], 

3. Calculate v = |b’r + toRing(m) |p 

Output: ciphertext c = (u,v) 


Algorithm 9 Saber PKE Decryption: dec 


Input: secret key s, ciphertext c = (u,v) 
T 


1. Calculate m* = v — s* u 


Output: message m = fromRing(m*) 


Analogously to Kyber, to construct a CCA-secure KEM from the given PKE, a variant 
of the FO-transformation is used. In fact, the key generation algorithm (Algorithm 10) is 
completely identical. 


Algorithm 10 Saber KEM Key Generation. 
Input: none 


1. Generate a € {0,1}7°° 
2. Generate (pk,s) = PKE.keyGen() 


Output: public key pk, secret key sk = (s,c) 


Again, the KEM construction (Algorithms 11 and 12) is very similar to Kyber. The only 
structural difference is the absent additional hash function used on the message m. 


Algorithm 11 Saber KEM Encapsulation. 
Input: public key pk 


1. Generate message m € {0,1}? 

2. Calculate (K’,r) = Hp(H;(pk) || m) 
3. Calculate c = PKE.enc;(pk,m) 

4. Calculate K = H3(K’ || c) 


Output: encapsulation c, shared secret K 
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Algorithm 12 Saber KEM Decapsulation. 
Input: public key pk, secret key sk = (s,a), encapsulation c 


Calculate m’ = PKE.dec(sk,c) 
Calculate (K',r') = H (Hı (pk) || m’) 
Calculate c' = PKE.enc„ (pk, m') 

Ifc = c' set K = H3(K’ || c) 

. Ifc €c! set K = H3(0 || c) 

Output: shared secret K 


SE ae oe 


The Saber instances with their corresponding parameter choices are shown in Table 3. 


Table 3. Saber parameter sets with corresponding decryption failure probability ô. 


n k q p ô 
LightSaber 256 2 213 210 P 
Saber 256 3 213 210 27136 
FireSaber 256 4 213 210 27165 


2.2.4. Dilithium 

Dilithium [14] is a signature scheme based on Module-LWE. For n,q € N, the un- 
derlying ring is Rg = Z4[X] / (X" +1), i.e., the ring of polynomials up to degree n — 1 
with coefficients in Z4. The corresponding module is RI with rank 1 € N. Additionally, 
Dilithium requires a secure hash function H. 

The key generation (Algorithm 13) is almost identical to Kyber’s key generation. An 
LWE instance is generated, i.e., a matrix A € REXI with k € N, a secret vector s € Ri and 
an error term e € RE. As usual, A and b are public, while s is kept private. 


Algorithm 13 Dilithium Key Generation: keyGen. 


Input: none 

1. Generate A € Ria 

2. Samples € R! with small coefficients 
3. Samplee € RI with small coefficients 
4. Calculate b = As +e 

Output: public key pk = (A, b), secret key s 


Dilithium’s signing process (Algorithm 14) is probabilistic. In the first step, a random 
vector y € R! is sampled. As we will see in the verification process, to achieve correctness, 
we will use the rounded version of Ay by means of a function round (). This function takes a 
given vector of polynomials and rounds each coefficient of every polynomial. The signature 
is formed by calculating a pair (z, c), where c is formed by hashing the message m and the 
value round(Ay). The hash function H maps an input to a polynomial with coefficients in 
{-1,0,1}. 

Due to the fact that z depending on the secret key, s potentially leads to serious 
security issues, and z is not output directly. Instead, in order to remove the statistical 
dependencies between z and s, Dilithium follows a so-called rejection sampling approach. 
For the details of rejection sampling, we refer to [15,16]. In case z is rendered invalid 
(‘rejected’), the algorithm restarts from step 1. 
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Algorithm 14 Dilithium Signature generation. 


Input: public key pk = (A,b), secret key s, message m € {0,1}* 
Until z is valid: 
1. Sample y € RI with small coefficients 


2. Calculate w = round (Ay) 
3. Calculate c = H(m || w) 
4. Calculate z = y + cs 


Output: signature 7 = (z,c) 


Given a correct signature g, it is possible to recover w using the following calculation: 


round(Az — bc) = round(A(y + cs) — (As +e)c) 
= round(Ay + Acs — Acs — ce) 
= round(Ay — ce) 


= WwW 


To indeed recover w, the last step requires round(Ay — ce) = round(Ay). Since c 
and e both have small coefficients, their product ce does not influence the outcome of 
the rounding. In order to verify the signature, we can use a recovered w’ to recalculate 
c' = H(m || w’) and compare it to the provided signature value c (Algorithm 15). Observe 
that if z has not been calculated by using the secret key s, i.e., by z = y + cs, the terms Acs 
would not cancel in the equation above leading to an incorrect w’ # w. Hence, the value c’ 
would be incorrect as well leading to a rejection of the provided signature. 


Algorithm 15 Dilithium Verification. 

Input: public key pk = (A,b), message m € {0,1}*, signature 7 = (z,c) 
1. Calculate w’ = round(Az — bc) 

2. Calculate c’ = H(m || w’) 


Output: valid if c = c’, else invalid 


The Dilithium instances with their corresponding parameter choices are shown in 
Table 4. 


Table 4. Dilithium parameter sets for NIST security levels 2, 3 and 5 with corresponding expected 
number of needed repetitions #reps of signature generation. 


n (kD) q #reps 
Dilithium 2 256 (4,4) 8380417 4.25 
Dilithium 3 256 (6,5) 8380417 5.1 
Dilithium 5 256 (8,7) 8380417 3.85 


2.3. NT RU-Based Cryptography 
2.3.1. NTRU Fundamentals 
The NTRU Assumption 


NTRU is a lattice-based cryptosystem, which was first developed by Hoffstein, Pipher 
and Silverman in 1996. It originates from the two well-known schemes NTRUEncrypt and 
NTRUSign. For its abbreviation, “NTRU”, one can find multiple explanation attempts, 
for example: n-th degree truncated polynomial ring or ‘number theorists r us’. As the 
former indicates, NTRU’s operations take place in the ring of truncated polynomials 
Rq = Zq [X] /(X" — 1), where n and q are two positive coprime integers and Zq = Z/qZ 
denotes the ring of integers modulo q. Therefore, R4 is the ring of all polynomials of degree 
< n with coefficients in Z4. 
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Similar to RSA, where it cannot be proven that breaking RSA is as hard as integer 


factorization, the security of NTRU underlies just a hardness assumption. Let the notation R 
denote congruence in the ring R. The so-called NTRU assumption states that the following 
task is difficult to solve: 

Given h € Rq, find ternary polynomials f, g € Z3[X]/(X" — 1) (a ternary polynomial 
has coefficients in Z3) such that 


Ra 
f:h=g. 
Later, we will see that this can actually be solved as a shortest vector problem. 


NTRU-Based Encryption Schemes 


This section will provide an overview of the main theory used to build NTRU cryp- 
tosystems. To build a cryptosystem around the NTRU assumption, we need two primes, 
n and p, as well as an integer, q, which is coprime to both. Furthermore, p is significantly 
smaller than q; in our case, we always have p = 3. These integers will define the rings 


Raq = Zq(X]/(X"-1) Rp = Zp[X]/(X* - 1) = Rg = Za[X]/(X"—-1) , 


in which the operations take place. 
In the first step, we sample two ternary polynomials f,g € R3, where f needs to be 
invertible in R3 and R4. Then, we need to calculate said inverses: 


fa =f ER far=f ER 


While f4 is used to calculate the public key: 


Ra 
h = fos 


f and f3 serve as the secret key. It is now easy to see that deriving the secret key from 
the public key provides a solution to the NTRU assumption. 

To now encrypt a message m € R3, we need another random ternary polynomial 
r € R3 and calculate the ciphertext as: 


Rq 
c=p-r-h+m=3-r-h+m 


The r ensures that encryption is not deterministic, while multiplication by 3 enables 
correct decryption, as we are about to see. 
The decryption process then consists of two steps. First, we calculate: 


a=fec 
=f-(3-r-h+m) 
=f- fy ote 24 f° m 


Ra 
=3-r-get+fem 


The second step is calculated in #3, which ensures that the first term of a vanishes. 
Multiplying by f3 then leads to the original message m: 


ft = forts g fom) 
R3 
=m 
The attentive reader might ask why the condition p < q is obligatory, and indeed, this 
is not clearly evident. The problem lies in the transition between R, and Rp. It is vital for 
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flawless decryption that a = p-r- g + f -m does not only hold true in R, but also in Z[X]. 
To be more precise, if the coefficients of p -r - g + f -m become a reduced mod q, a reduction 
mod p would not yield m. 

In conclusion, the correctness is assured if this calculation yields a polynomial of 
degree < n and coefficients < q. Since r,g, f,m € Rp have small coefficients, it is sufficient 
to require p < q. 

Another observable fact is that the decryption process also establishes the possibility 
to obtain the message m without the knowledge of f. Indeed (according to the NTRU 
assumption), it is sufficient for an adversary to find any ternary polynomial f such that 
f -his again ternary modulo q, since this still ensures that f - c does not become reduced 
modulo q and the subsequent reduction modulo p would yield m. The authors showed 
in [17] that in all likelihood the only polynomials with this property are just rotations of f 
(i.e., polynomials obtained by cyclically rotating the coefficients of f). 


Linking NTRU to Computational Lattice Problems 
To get an idea of the connection between lattices and NTRU, consider the lattice: 
Rg 
L={(u,v) E Rg xX Rqg|u-h=v)}. 


consisting of every possible solution for a fixed NTRU assumption given h € Ry. 
In the following, all calculations are reduced modulo (X” — 1), and we therefore write 
u-h =v mod q. To find a basis of £, observe that every (u,v) € £ equivalently fulfills: 


u-h—k-q=v 


for some k € Ry. This can be rewritten as: 


u\ (1 0\) fu 

v) A q —k 
in an equivalent form. Using the coefficients of u = ary ujx!,v = ae vixi, h = Eo Thx! 
and k = paar k;x!, this can be transformed into: 


ug 1 0 0 0 0 0 ug 
uy 0 1 0 0 0 0 uy 
ia) o | 0 o 1 l0 0 0 E 
v0 ho h hrq 0 ... 0 —ko 
v1 hn—1 ho h2 |0 q 0 —kı 
On-1 hy ho see ho 00... q —ky_-4 


Defining M; as the bottom-left quadrant, it is easy to see that the matrix 


( In On ) 

Mn q-lIn 

defines a basis of the lattice £. It is obvious that (f, g) € £, and since f, g € R3, it is also 
a rather short vector. Furthermore, it can be shown that with overwhelming probability 


(f, g) is indeed the shortest vector of £. Therefore, being able to solve an SVP also enables 
finding the secret key of any NTRU cryptosystem. 
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2.3.2. NTRU 


Even though the NIST round three submission of NTRU [18] is mainly based on the 
generic NTRU encryption scheme we have just seen, it contains a few major differences that 
need further explanation. The most obvious change regards the underlying polynomial 
rings. Before, we just considered the two truncated polynomial rings Ra = Z4[X]/ (X" — 1) 
and Ry = Zp[X]/(X" — 1) that were both generated by (X” — 1). Instead, we consider 
polynomial rings that are generated by the three polynomials 


d=(X-1) p=Ž $ hin = (KX"—- 1). 


To differentiate the corresponding rings, we introduce the following notation: 


RE := Z[X]/ 


For example, the formerly used R3 is now denoted as Re oe, 

The key generation (Algorithm 16) mainly consists of the same steps as in the generic 
NTRU construction. The difference is that sampling and operations take place in different 
rings and spaces. Note that g is always a multiple of ¢;. Other than that, the step of 
calculating the inverse hg is added. All these modifications aim to add another layer of 
security against forging ciphertexts, as we will see in the decryption step. 


Algorithm 16 NTRU PKE Key Generation: keyGen. 
Input: none 

1. Sample f € Re 

2. Sampleg € {~i-v|veE RI} 


3. Calculate fy = f ' E RÝ 
Pion 
4. Calculateh © Sty 


5. Calculate hg = h“! € RI” 
6. Calculate f3 = f7! € Re 
Output: public key h, secret key sk = (f, fp, hq) 


The encryption process (Algorithm 17) only differs in using a lift-function on the 
message m before encryption. Let (m- pg 1) on denote a calculation within the ring Re, 


then: 


RI 
Lift(m) = 1: (m P7 "Jpg 


R3 


It is easy to see that Lift(m) 
$1, the same is true for c. 


m. Now, as a consequence of g and 11 being multiples of 


Algorithm 17 NTRU PKE Encryption: enc. 


Input: public key h, message m € Re 
1. Calculate 1 = Lift(m) 


2. Sampler € Re 
Rien 
3. Calculatec = 3-r-h+m 


Output: ciphertext c 


The decryption differs the most compared to the general NTRU construction and there- 
fore requires further explanation. In case of a correctly encrypted message m, deciphering 
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takes place in steps 2 and 3. It is not obvious that the calculation in step 2 still yields the 
same result as in the general NTRU scheme since fj is the inverse in RË" and not in RPP, 


Using the fact that g is a multiple of ¢; and fq is the inverse of f in RE, we can 
equivalently say 


g= v for some v € RI” (1) 
f-fg=1t+k- on for some k € Z[X] (2) 


Step 2 then resolves to 


a=fec 


=f: fy 3 r g+f ñ | (2) 
=(1+k- pn) -3 r-g+f ñ | (1) 

Rien 
=3-r-g+k øn pQ v3 r+f ñ Ipin = 0 


a : 
= 3-r-e+fem 


Finally, we can obtain m in step 3 since f3 is indeed the inverse in the considered ring 
Re by calculating 


a: f3 ae tae St a fe 


RË 
= m 


Ron 
The first term vanishes since it is a multiple of 3, and as seen before, ñ = Lift(m) = 


m. 

The decryption (Algorithm 18) contains a built-in validation process, which justifies 
the additional steps. As shown later, this enables the construction of a KEM that avoids 
re-encryption (in contrast to classic FO-transformation). 

The first step validates whether or not c is a multiple of ¢1, which is true for any 
correctly generated ciphertext, as seen before. In order to verify that r is correctly sampled 
from Re (step 6 and 7) , step 4 and 5 retrieve r using c, Lift(m) and hg. If any of the 
validation steps fail, the procedure returns the error vector (0,0, 1); otherwise, (r,m,0) 
is returned. 


Algorithm 18 NTRU PKE Decryption: dec. 
Input: secret key sk = (f, fp, hq), ciphertext c 


Ry 
1. ifc Æ Oreturn (0,0,1) 
Pion 
2. Calculatea = fg 
RI" 


3. Calculate m = a- fs 
4. Calculate i = Lift(m) 


Ri i 
5. Calculater = (c— ñ) - a 


6. ifre RS return (r,m,0) 
7. else return (0,0, 1) 


Output: Correct (r,m,0) or error (0,0,1) 
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Constructing the NTRU KEM is now straightforward. The key generation (Algo- 
rithm 19) simply calls PKE.keyGen() and samples a random value g, which is later used in 
the decapsulation for implicit rejection. 


Algorithm 19 NTRU KEM Key Generation. 
Input: none 


1. Generate (h, (f, fp, hg)) = PKE.keyGen() 
2. Samples € {0,1} 
Output: public key h, secret key sk = (f, fp, hg, 0) 


Encapsulation (Algorithm 20) consists of three steps: Random sampling r, m € RË, 
generating the ciphertext using PKE.enc() and calculating the shared secret K as the hash of 
r and m with some cryptographic hash function H4. 


Algorithm 20 NTRU KEM Encapsulation. 
Input: public key h 


1. Sampler,m € Re 
2. Calculate c = PKE.enc;(h,m) 
3. K= Ayr || m) 


Output: encapsulation c, shared secret K 


Decapsulation (Algorithm 21) starts with the decryption of c using PKE.dec(). Next, 
two hashes are calculated, the correct one as a hash of r and m and a decoy as a hash of 
the sampled values s and c with some cryptographic hash function H3. In case of valid 
decryption, the former is returned; otherwise, the decoy value is returned. 


Algorithm 21 NTRU KEM Decapsulation. 
Input: secret key sk = (f, fp, hg, C), encapsulation c 


if (fail = 0) set K = kı 
. else set K = k? 


1. (r,m, fail) = PKE.dec((f, fp, hg) c) 
2. ky = Hı(r || m) 

3. ky = H2 (0 || c) 

4. 

5 


Output: shared secret K 


The NTRU submission recommends two different families of parameter sets, which 
are referred to as NTRU-HRSS and NTRU-HPS. The explanations of this section regard 
NTRU-HRSS, but the details of both can be found in the algorithm specification [18]. 


2.3.3. Falcon 


Falcon [19] is a signature scheme based on the Gentry—Peikert-Vaikuntanathan (GPV) 
signature scheme using the NTRU structure [20]. On a very high level, the underlying 
idea of the GPV framework is as follows. The public key is a full-rank matrix A € Zj;*" 
(with m > n) generating a lattice L, while the secret key is a matrix B € “Za” generating a 


corresponding lattice L}. The lattices L and Ly are orthogonal modulo q, meaning that 
Vx Ee Ly € Ly : (x,y) = 0 mod q. 
Equivalently, the rows of A and B are pairwise orthogonal, i.e., B - At = 0 mod q. 


Given a hash H(m) of some arbitrary message m and a hash-function H that maps 
onto L, a valid signature s has to fulfill two properties: 
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1. A-s=H(m) mod q; 
2. — ||s|| < 6 for some boundary £, i.e., s has to be short. 

A solution s satisfying the first property can be easily computed using standard linear 
algebra; however, additionally considering the second property, finding a valid s is much 
harder. These requirements are almost identical to the short integer solution problem (SIS), 
the only difference being that an SIS solution s fulfills A -s = 0 mod q instead. The SIS 
problem is average-case-hard and reducible to SVP [21]. 

However, with knowledge of the secret matrix B, a valid signature s can be efficiently 
computed. The first step is to find any solution s’ to the first requirement A - s’ = H(m). 
Afterwards, a sufficiently close vector v in the orthogonal lattice Ly needs to be found. 
Knowing B, this can be achieved using an efficient CVP approximation algorithm such as 
Babai’s Algorithm [22] satisfying ||s’ — v|| < 2. 

Finally, s = s’ — v forms a valid signature since A-s = A - s' — A - v = H(m) — 0 due 
to v being orthogonal to the rows of A. 

The overall framework of Falcon is quite similar to GPV and uses the basic idea of the 
NTRU scheme to generate the required lattices. Similar to NTRU, Falcon’s operations take 
place in the ring of truncated polynomials Ry = Z,[X]/(X" +1), where n and q are two 
positive coprime integers and Z, = Z/qZ denotes the ring of integers modulo q. Therefore, 
Rq is the ring of all polynomials of degree < n with coefficients in Z4. 

For the key generation (Algorithm 22) a set of four polynomials f, g € R4 and F,G € 
R = Z{x]/(X" +1) that fulfills 


fG- gF =q mod (X" +1) 


is needed. Afterwards, analogously to NTRU, we calculate h = g - f~! € Ry. From these 
polynomials, we can generate the public key matrix A € i al and the secret key matrix 
Be 72nx2n as 

q 


A=(1 h) B= (8 A , 


where every polynomial is represented as its corresponding matrix (see Section 2.3.1 for 
notation details). 
It is easy to check that 


aea E 


a a = O meas 


Algorithm 22 Falcon Key Generation. 


indeed holds. 


Input: none 

1. Sample f, g E€ Rq 

2. Find F,G € R such that f - G — g - F = q mod (X" +1) 
3. Calculate h = g - f7! 

Output: public key h, secret key sk = (f, g,F,G) 
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To make a Falcon signature probabilistic, a random r € {0,1}°?° is sampled and used 
to generate the hash c = H(r || m) with some cryptographic hash function H. Due to the 
construction of A = (1 h), finding an s’ satisfying property 1 is easy. Since 


a n- (6) =° 


holds, we can always use s’ = (c, oO). As described above, we are looking for a vector 
vE L} close to s’. Falcon does that using a variant of Babai’s algorithm [23]. Then, 
the difference s’ — v satisfies properties 1 and 2 and forms a valid signature (Algorithm 23). 

To increase security, only the second component of s = (51, so)! = (c — v1,—02) | is 
transmitted, which is already sufficient to verify the validity of s. Due to 


A-s=(1 n- (2) =sı +h- =c, 
2 


we can see that s4 just represents a shift by a small constant. 


Algorithm 23 Falcon Signature generation. 


Input: secret key sk = (f, g, F, G), message m € {0,1}* 
Sample r € {0,1}°7° 

Calculate c = H(r || m) 

Sete! = (c,0)! 

Find v € Ly with ||s’ — o|| < B 

Calculate (s1,s2)' = s’ — v = (c — 04, —02) 


FP WNP 


T 


Output: signature 7 = (r, s2) 


Analogously to the signature generation, for verification (Algorithm 24), the message 
m is hashed together with the provided r. Assuming s2 was correctly generated, the missing 
value s; can be calculated by 
sj =A. ( ) =c—s)-h 


and is declared valid if it is sufficiently small, i.e., || (s1,s2)'|| < B. 


Algorithm 24 Falcon Verification. 


Input: public key h, message m € {0,1}*, signature 7 = (r, s2) 
1. Calculate c = H(r || m) 
2. Calculates; = c — s2 - h 


Output: valid if ||(s1,s2)' || < B, else invalid 


The Falcon instances with their corresponding parameter choices are shown in Table 5. 


Table 5. Falcon parameter sets. 


n q 
Falcon-512 512 12,289 
Falcon-1024 1024 12,289 
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3. Code-Based Cryptography 
3.1. Linear Code Fundamentals 


Error-correcting codes are a standard approach to detect and correct communication 
errors that might happen due to noise during transmission. This technique can be applied 
to the construction of cryptographic systems where errors are intentionally inserted and 
can only be corrected by the intended receiver. 


3.1.1. Linear Codes 


Definition 3 (hamming weight, hamming distance). For a given vector x = (x1,...,Xn) € F}, 
we call 


n 
weight(x) = }_ x; 
i=l 


the hamming weight of x. Note that this simply counts the number of entries equal to 1. 
Given another vector y = (y1, .-., Yn) € F5, we call 


n 
dist(x,y) = } | xi — y; | 
i=1 
the hamming distance, which denotes the number of bits in which x and y differ. 


Definition 4 (inear code). Let C be a linear subspace of the vector space F} with dimension k. 
Furthermore, let 
d= min dist(c;,c; 
eae (ci,¢j) 
Ci FC; 
be the minimum distance of two distinct elements of C. 
C is called linear code or, equivalently, (n,k, d)-code. The elements of C are called codewords. 


Elements of an (n,k,d)-code C are binary vectors of length n. However, since C has 
dimension k, only k entries can be arbitrarily chosen, and this choice already defines the 
remaining n — k entries. This means we end up with vectors of length n containing only k 
bits of non-redundant information. Therefore, it is possible to represent C as the span of k 
linear independent codewords ¢1,...,c, € C, i.e., 


C={G- xe | eR) , 


where G € Pe with codewords c1,...,cx as columns. G is called generator matrix of C. 
We can transform G to its standard form (this definition deviates a little from standard 
literature; however, it is more useful in the context of Classic McEliece). G’ = (TT || k)', 
where I; is the k x k identity matrix and T € Re") ai 

Given a generator matrix G’ = (T! || Iy)! in standard form, there is a neat way 
to check whether a given word c € F} is a valid codeword, i.e., an element of C. Let 
H = (Inx || -T) € Rr xn and c € F} be a valid codeword, i.e., c = G- x for some 
xE F: Then, 
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(H-G’) 
t11 t12 tik 
t21 t22 tok 
1 0| =t t12 tk : 
0 1 0 t21 422 — to tn k,1 tn—k2 ty kk 
= z “x 
: 1 0 0 
0 0... 1 —th-k tn—k,2 —tn—k,k 0 1 0 
N lM 7 
(n=k)+k : 
0 0 1 
D Se 
k 
hasta h2—t12 oes tik — tye 
t21 — t21 t32 — t22 +e ton — tog 
= -x 
tn k1 ty k,1 ty k,2 T tn k2 es tn—kk = tn—kk 
=0 € F} 


equals the zero-vector in ine for any codeword c. Because of this property, H is called the 
parity check matrix. Indeed, the condition H - c = 0 holds if and only if c is a valid code- 
word. 

Therefore, a linear code C can equivalently be defined via its parity check matrix H 
since C is exactly the kernel of the map H, so C = {x € F} | H- x = 0}. This also motivates 
the following definition. 


Definition 5 (syndrome). Let C be a linear code with parity check matrix H and x € F} bea 
vector. We call 
H-xe Fik 


the syndrome of x. 


3.1.2. Binary Goppa Codes 


A traditional and well-studied family of linear codes are the so-called binary Goppa 
codes [24]. They were proposed for cryptography in 1978 due to their good security 
properties and fast decoding capabilities [25]. 


Definition 6 (binary Goppa code, support, Goppa polynomial). Let Fam be a finite field 
for some m € N and g(x) € Fpm[x] be an irreducible polynomial of degree t < 2. Let 
L = (1,02,...,&n) be a sequence of n distinct elements of F2m which are not roots of g(x). 
Then, we define a binary Goppa code T (g, L) by 


r(g,L)= {c € F} ae ‘cj =0 mod g(x)}. 


We call L support and g(x) Goppa polynomial. 


While we will not delve into the mathematical structure behind binary Goppa codes, 
it is important to highlight that a given Goppa code depends on its Goppa polynomial and 
its support. In order to derive the parity check matrix of a given Goppa code T (g, L), we 
define 


I(x, a;) := mod g(x) 


xX — Mj 
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1 0 

g1 1 
A=) &i-2 8-1 
81 8&2 


to be the inverse of x — a; reduced modulo g(x) fori € {1,...,n}. Note that the condition of 
&1,...,Xn not being roots of g ensures that the inverses ig = exist since, otherwise, 
x — a; would divide g. 

Since [;(x,;) is already reduced modulo g(x) and the addition of polynomials with 
the same degree cannot increase their degree, we can rewrite the defining condition of 
I'(g, L) in the following way: 


x-a”: 


n A 
L L(x, «i) "C = 0 


i=1 
Moreover, [;(x,«;) is a polynomial with a maximum degree of t — 1, i.e., [j(x,a;) = 
Yi Ti x(a) - xk-1. Again, we can rewrite the condition as: 
n by me 
Loci d ielai) x = 0. 
i=1 k=1 


From this equation, one can easily derive the parity check matrix H for T (g, L): 


ħali) bala) Jn, (oe) 
g- ala) ha(ai) < In2(ai eR 6) 
ielai) Belai) -o Ine(ai) 


The inverses in A can then be calculated using n executions of the extended euclidean 
algorithm (EEA). Applying EEA directly to any (x — «;) and g(x) = Yj_9 gi < x! would lead 
to a simpler version of H: 


0 ... 0 1 1 bas 1 1 0 cn 0 

0 0 ap a} a A i 

1 0 Go A o Nh | oy e Rix 
. . ` 1 

g3... 1 Cae aes a 0 0 glan) 


The details of the derivation can be found in [26]. 

In Classic McEliece, we will always consider a binary version of the parity check 
matrix H € eae. That means that all elements in Fon are converted to a column vector 
representing their binary form of length m. We call the resulting matrix 


He Fn 
the binary parity check matrix. 


Theorem 1. Let I'(g,L) bean (n,k,d) binary Goppa code, where g € Fam|x] has degree t. Then, 
we can lower-bound the dimension k by 


k>n—mt 


and the minimum distance d by 
d>2t+1. 


Since H is an mt x n matrix, the corresponding generator matrix G has dimension 
n x k with k > n — mt. The derivation of the lower bound for the minimum distance is not 
easy to see; that is why we refer to [27] for a detailed proof. 
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3.1.3. Computational Linear Code Problems 


Analogously to lattices, there exist various code-based calculation problems which are 
considered to be computationally hard and are therefore suitable for cryptographic algo- 
rithms. 

Given a linear (n,k,d)-code C C F with a random parity-check matrix H € Rr) a 
and q € F}, the task of finding the closest codeword c € C to 4q, i.e., the codeword c which 
minimizes dist (q, c), is computationally hard and is called a syndrome decoding problem. 

Due to its structured parity-check matrix, the hardness of the syndrome decoding 
problem cannot directly be applied to Goppa codes. However, research indicates that 
distinguishing a Goppa parity-check matrix from a parity-check matrix of a random code 
is difficult. The parity-check matrix H introduced in Equation (3) gives an intuition of 
that fact. Observe, that each entry is a polynomial inverse depending on a random Goppa 
support and a random Goppa polynomial. This Goppa code indistinguishability as- 
sumption is the basis for the Classic McEliece cryptosystem, which we will discuss in the 
following section. 


3.2. Classic McEliece 


Classic McEliece [28] is a CCA-secure key encapsulation mechanism based on a version 
of the Niederreiter encryption scheme. A message is represented as an error vector e whose 
syndrome, i.e., the parity check matrix (public key) applied on e, is used as encryption. 
Knowing the structure (secret key) of the underlying code, the receiver is able to restore the 
error vector e from the syndrome using a syndrome decoding algorithm [29]. 

The Classic McEliece scheme uses binary Goppa codes, which form linear (n, k, d)- 
codes. During key generation (Algorithm 25), Classic McEliece generates a random binary 
Goppa code T (g, L). As described above, the code I'(g, L) consists of a Goppa polynomial 
g(x) € Fom[x] with degree t for a suitable m and a support L. Then, the corresponding 
binary parity-check matrix H € F3'*" is computed and transformed to standard form. H 
is then published as public key while the Goppa parameters g and L are kept secret. Classic 
McEliece uses the fact that it is generally infeasible to reconstruct a Goppa code from a 
given parity-check matrix H. 


Algorithm 25 Classic McEliece PKE Key Generation: keyGen. 
Input: none 


1. Generate random Goppa Code I'(g, L) with 
e Goppa polynomial g(x) € Fym[x] of degree t 
e Uniform random sequence L = (a1,...,n) of n distinct elements of Fym 


2. | Compute corresponding binary parity-check matrix H € F,"*" 


Output: public key H, private key I (g, L). 


The idea of Classic McEliece encryption (Algorithm 26) is to send the syndrome 
H(c + e) of an erroneous codeword c € T (g, L) with error e € F}. We can observe that 
H(c + e) is independent of the concrete codeword c, because H(c +e) = Hc + He = He 
holds for all codewords. Therefore, we drop c and just calculate He. The value e serves 
as message, and we require it to have weight t, which is defined to be the largest value 
possible while also guaranteeing correct decryption. Therefore, the size of the message 
space is (7). Using the provided parity-check matrix H, the corresponding syndrome He is 
calculated and sent to the receiver. 


Algorithm 26 Classic McEliece PKE Encryption: enc. 


Input: public key H € F;*", message e € F} with weight t 


1. Compute C = He € Ra-k 
Output: ciphertext C 
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Knowing the structure of the Goppa code, i.e., the secret Goppa polynomial g and 
support (a1,...,n), the receiver is able to reconstruct e from the provided syndrome 
C = He. In order to do that, the given syndrome C € Fak is extended to the column vector 
C' = (C,0,...,0) € F4 by appending k zeros. We first observe that 


H(C’ +e) = H((He,0,...,0) +e) 
= H(He,0,...,0) + He 
= He + He 
=0 


Note that H(He,0,...,0) = He holds because H is in standard form, i.e., H = (I,_x || 
—T) for some matrix T. The equation above implies that c = C’ + e is a codeword in our 
Goppa code I'(g, L). Furthermore, we know there can only be one codeword in T (g, L) with 
distance < t to C’ since, due to Theorem 1, Goppa codewords have a minimum distance 
of 2t + 1 (see Figure 5). Since e has weight t, the codeword C’ + e is the unique codeword 
with distance < t to C’. 


. 
LY 


Figure 5. Black dots represent Goppa codewords. The interior of each black circle represents the set 


y 


of words which are mapped to its central black dot during error-correction. This figure shows the 
intuition behind Classic McEliece encryption: an error vector e is encrypted to a point C’ on a black 
circle around some Goppa codeword. The receiver is able to obtain the corresponding central black 
dot and thereby retrieve the error vector e. 


Having the secret Goppa parameters, the receiver is able to use a syndrome-decoding 
algorithm, e.g., Patterson’s Algorithm [30], to find the closest codeword to C’, obtaining 
c = C' +e. Then, simple addition yields e = C’ +c. These steps are summarized in 
Algorithm 27. 

Note that general syndrome decoding is difficult, as seen in Section 3.1. Therefore, 
a third party without knowledge of the secret Goppa parameters is not able to perform this 
decryption step. 


Algorithm 27 Classic McEliece PKE Decryption: dec. 


Input: ciphertext C € F!-*, Goppa code T (g, L) 

1. Extend C to C’ = (C,0,...,0) € F} by appending k zeros 

2. Find the unique codeword c € T (g, L) that is at distance < t from C’. If there is no 
such codeword, return L 

3. Sete=C'’+c 

4. If weight(e) A tor C Æ He, return L 


Output: message e 


Classic McEliece KEM key generation (Algorithm 28) samples an additional value 
o € F}. Despite that, the key generation is identical to the key generation of the PKE. 
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Algorithm 28 Classic McEliece KEM Key Generation. 
Input: none 


1. Generate random ¢ € F} 
2. Generate (H,T (g, L)) = PKE.keyGen() 


Output: public key H, secret key sk = (T (g, L), o) 


The family of cryptographic hash functions H; for i € {0,1,2} is used for both 
encapsulation and decapsulation. A random vector e € F5 of weight t is sampled and 
encrypted with a given parity-check matrix H. Additionally, e is hashed to e4. The shared 
secret K is computed by K = H1 (e, C, ey), i.e., a random-looking value depending on e and 
C (Algorithm 29). 


Algorithm 29 Classic McEliece KEM Encapsulation. 
Input: public key H 


1. Generate random vector e € F} of weight t 
2. Compute C = PKE.enc(e, H). 

3. Compute ey = H2(e) 

4. Compute K = H1 (e,C, ey) 


Output: encapsulation (C, ey), shared secret K 


The decapsulation (Algorithm 30) starts with the decryption of a given C, thereby 
calculating a message candidate e. Assuming a valid input, the original e is obtained. It is 
clear that by K = H1 (e, C, ey ) the same shared secret as in the encapsulation is computed. 

However, prior to that calculation, the decapsulation process has two means of verify- 
ing its input: If decryption fails, the hash value e}, will be based on the random-looking 7 
instead of e. This will ensure that the following comparison will not hold. The obtained 
message candidate e is verified by checking whether it is indeed a weight-t vector (this 
happens during PKE.dec). Then, the provided ey, is compared with the computed version 
e4,, thereby checking that the encapsulation was indeed performed based on e as well as 
the provided public key H and according to the rules of the algorithm. 


Algorithm 30 Classic McEliece KEM Decapsulation. 
Input: secret key sk = (T (g, L), o), encapsulation (C, ez) 
Calculate e = PKE.dec(C,T(g, L)) 

Ife = | calculate e}, = H2(c) 

Ife # | calculate e}, = H2(e) 

If e4, = ey set K = Hy (e,C, ex) 

. Fe #ey set K= Ho(o,C,ex) 

Output: shared secret K 


grie o oe a 


Encryption and decryption operations are competitively fast compared to lattice-based 
cryptography; however, the key sizes in Classic McEliece are quite large [31]. Given, for 
example, the largest parameter set (see Table 6), storing the compressed public key H 
requires k - (n — k) = 6528 - (8192 — 6528) = 10,862,592 bits ~ 1.3 MB. 

The Classic McEliece instances with their corresponding parameter choices are shown 
in Table 6. 
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Table 6. Classic McEliece parameter sets using an (n, k, d) Goppa code with error correction capabil- 


ity t. 
n k d t 
McEliece348864 3488 2720 129 64 
McEliece460896 4608 3360 193 96 
McEliece6688128 6688 5024 257 128 
McEliece6960119 6960 5413 239 119 
McEliece8192128 8192 6528 257 128 


4. Multivariate Cryptography 

Multivariate cryptography uses multivariate polynomials, i.e., polynomials in mul- 
tiple variables, for the construction of key pairs. Its security is based on the assumption 
that solving a set of multivariate quadratic polynomial equations over a finite field is 
computationally hard. 


4.1. Multivariate Polynomial Fundamentals 

4.1.1. Multivariate Polynomial Functions 

Definition 7 (multivariate quadratic polynomial function). Let F be a field. A function 
f: F" — Fis called multivariate function. Let p be a polynomial in the variables x1,...,Xpn € F. If 
f can be represented as p(x1,...,Xn), f is called multivariate polynomial function (for finite F, this 
is possible for any function). If f only contains terms of degree two or less, f is called multivariate 
quadratic polynomial function. 


To give an example, the function fı (x1, x2, x3) = x2X9 + 2x1x2 + 3x3 + 4 is a multivari- 
ate polynomial function (of degree 3), while the function f2 (x1, x2, x3) = x? +2x1xX2 + 3x3 + 
4 is a multivariate quadratic polynomial function. Let p1, . . . , Pk be multivariate quadratic 
polynomial functions. The vector 


Pk 
can be interpreted as a function P : F” — F* by component-wise application and is called 
polynomial map. 


4.1.2. MQ Problem 


Let F be a finite field. Let p1,..., pp : F” —> F be multivariate quadratic polynomial 
functions. Finding a solution s € F” to the system of equations 


is called an M Q (multivariate quadratic) problem [32]. This problem has been proven to 
be computationally hard. 


4.1.3. Multivariate Signature Schemes 

Multivariate public-key cryptosystems (MPKC) are constructions where polynomial 
maps are used to represent public and private keys. However, MPKC constructions are 
mainly used as digital signature schemes and are not suited for encryption purposes [33]. 
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Let F be a finite field. The main idea of generating a signature s € F” to a given 
message m € F* is to calculate one of possibly many pre-images of the image m under a 
polynomial map P. This is equivalent to finding a solution s to the system of equations 


pi(s) = m pi(s)—m, =0 


p(s) = mg pr(s)—m, =0 , 


where P = (p1,..., pk) and m = (m,...,m,). P is called a public map and represents the 
public key. We can design an MPKC scheme in a way that allows finding pre-images under 
a public map without directly solving the M Q problem. Usually, this mechanism involves 
some polynomial map F : F” > F* which we call the central map. We hide F by applying 
the following compositions involving the two affine maps S : F" — F” and T : Fk — FF. 
The resulting function 

P=ToF oS: F" 3 F* 


is the public key to the corresponding secret key (T, F, S). In general, the central map F 
requires efficient computation of pre-images. The affine maps S and J have to be invertible; 
therefore, they need to be of full rank. 

As mentioned above, a signature s for a given message m is a pre-image of m under P. 
With knowledge of the decomposition P = T o F o S, s can be computed by calculating 
the pre-image of T~!(m) under F and subsequent application of S71. To verify a signature 
s for a message m, we simply need to verify whether m = P (s) holds. Note that there could 
exist multiple valid signatures for a given message m. 

The key component of an MPKC is the design of the central map F. Without prior 
knowledge of the secret key (7, F, S), an attacker cannot distinguish the public map froma 
randomly generated polynomial map. The complexity of a direct attack is therefore reduced 
to the difficulty of the MQ problem. However, observe that the security assumption of 
this system is stronger than in the case of the MQ problem due to possible efficient 
attacks against the central map F. There exists an alternative approach for breaking an 
MPKC without trying to directly attack the public map. The idea is to find two alternative 
affine maps that suffice the same criteria of transforming the central map F into P. Thus, 
the cryptosystem can be broken by finding alternative private keys which correspond to the 
same public map. In this context, we need to define a new problem called the ZP problem 
(Isomorphism of Polynomials) [32]. 


4.1.4. IP Problem 
Let P, F be two polynomial maps from F” to F* with: 


P = (prs... Pr) 
F= (fiseer fi) 


Assuming two invertible affine transformations S : F” — F” and T : Fk — FF with 
P=TofoS 


exist, finding S and T is called an ZP problem, which is also computationally hard [34]. 
Solving the ZP problem could possibly break an MPKC by finding alternative secret affine 
functions to a given public map and an arbitrarily chosen central map. 


4.2. Rainbow 


The Rainbow signature scheme [35] is closely related to arguably the most common 
multivariate-based signature scheme, namely, Unbalanced Oil and Vinegar (UOV). In order 
to understand Rainbow, we first need to properly introduce UOV. 
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The basic idea of UOV consists of dividing the set of variables of the central map F 
into two disjoint subsets, which we refer to as oil and vinegar variables. The most important 
property is that the quadratic polynomials of F are not allowed to contain cross-terms 
between two oil variables. UOV has the general advantage of offering fast computations of 
both public and private keys, as well as a simple structure. A major disadvantage lies in 
the comparably large key sizes. 

The UOV scheme is an MPKC scheme, as described in Section 4.1 with the public map 


P=ToFoS:F" > F* 


and secret polynomial maps (T, F, S). It is characterized by the integer parameters o and 
v, specifying the number of oil and vinegar variables, respectively. These parameters define 
the structure of the central map F having k = o polynomial functions with n = o + v 
variables. The central map F : F” > F* contains k polynomial functions f4, .. ., fk. We 
restrict those to their homogeneous forms, i.e., omitting constant and linear terms. Then, 
each f, has the form: 


fr= Lapa t he D Byam, 


i=1 j=i i=1j=v+1 


where x1,...,Xy and Xy41,...Xn correspond to the vinegar variables and oil variables, 
respectively. A central map F is generated by randomly assigning values to the coefficients 
a, BY from F. 

The affine transformations S and 7 are also sampled by randomly assigning their 
coefficients, which is repeated if they turn out not to be invertible. The calculation of 
pre-images under F works as follows: 


e We randomly assign values to the vinegar variables x1,...,x, (highlighted in red), 
thus reducing the product between two vinegar variables to constants and the product 
of an oil and a vinegar variable to a linear term: 


U U U n 
f=LLapsgtE L By xx 
i=1 j=i i=1 j=v+1 
e This results in a linear system of k equations in n — v = k variables, namely, xXv41, . - - , Xn. 
By applying Gaussian elimination, we solve this system and thereby derive the re- 
maining oil values x41, . . -, Xn. In case the system does not have a solution, we repeat 
the previous step by sampling some other random values for the vinegar variables. 


As mentioned in Section 4.1, this MPKC construction is designed in a way that makes 
it hard to find pre-images under a given public map P; however, knowing the secret 
decomposition P = J o F o S enables an efficient computation of pre-images, i.e., signa- 
ture generation. 

Rainbow generalizes the UOV concept. The Rainbow signature scheme consists of two 
layers of Oil-Vinegar polynomials, where the second layer includes all variables from the 
first layer, i.e., the set of vinegar variables from layer two contains all variables of layer one. 

A concrete Rainbow instance is defined by an initializing number vı of vinegar vari- 
ables for layer one and the number of oil variables for layers one and two, i.e., 0; and 02, 
respectively. The total number of variables n and the number of equations k can be derived 
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through n = vı +01 + 02 and k = 01 + 02. The resulting structure of Rainbow’s central map 
F consists of the two layers: 


Layer 1: Xlr- -Xo Xo+: +) X04 +0} 
RA TS 
vinegar variables oil variables 
Layer 2: Xl; tt; Xvi» Xo, 41, ey Xvi +017 Xv, +0141, e., Xv +01 +02 
p 
vinegar variables oil variables 


This construction improves the ratio between the signature size and the message size 
from 2? in the UOV case to Tae in the two-layer Rainbow case due to vj < v, i.e., sig- 
natures are relatively smaller (in practice, this amounts to an about 26% reduction [36]). 
Due to the reduced number of coefficients needed in the first layer, this also results in a 
smaller private key. Recent attacks have shown this construction to be vulnerable resulting 
in a loss of these efficiency gains, see Section 4.2.1. 

To generate a concrete key pair (Algorithm 31), the following maps are sampled: 


e The secret central map F consisting of k = 0; + 02 polynomials f;,..., fg of the form 


D apayt Spay torre ta) 
i<jeVy i€ V1,jEO1 
f= 
Z of) xixj + L E forr E {01 +1,...,01 +02} 
i<jEV2 i€ V2, jEO2 


with layer one vinegar indices Vı = {1,...,v1}, layer one oil indices O1 = {v1 + 
1,...,v1 +01}, layer two vinegar indices V2 = V; U O} and layer two oil indices 
O2 = {o1 +1,...,01 +02}. 

The coefficients T 7 Br P ne ; {0 are randomly chosen from F. 

e Two secret randomly chosen invertible affine maps T : Ft > F and S : F” > F”. 
Their coefficients are randomly sampled from F which is repeated if the maps turn 
out not to be invertible. 

e The public key P = To FoS:F" + FF. 


Algorithm 31 Rainbow Key Generation. 


Input: none 

1. Sample S € F” > F” 
2. Sample F € F” — F* 
3. Sample T € Fk > F* 
4. Calculate P = T - F- S € F" — F* 
Output: public key P, secret key sk = (T, F, S) 


As described in Section 4.1, a valid signature s of a given message m € {0,1}* of 
arbitrary length is a pre-image of H(m) under P, i.e., the equation 


holds with a suitable cryptographic hash function H : {0,1}* — F*. Since S and T are 
efficiently invertible, finding pre-images under those maps is trivial. Finding pre-images 
under the central map F is similar to finding pre-images in a UOV scheme: 


e We randomly assign values to the vinegar variables of layer one, i.e., X1,...,Xy,: 
Layer 1: Xp eee Ky s togi essy X0y 4043 
N. m 


Ss“ — 
vinegar variables oil variables 
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We solve the resulting linear system of 0, equations to obtain concrete values for the 
01 oil variables of layer one; 

The resulting assignment of values for x1,...,Xv,+0, is substituted into the second 
layer: 


Layer 2: Xise.. 1Xo,7%Xo, 417 see, Xv +017 Xy -+0,+17 «e, Xu +01 +027 
ee ee na amama 
vinegar variables oil variables 


We solve the resulting linear system of 02 equations to obtain concrete values for the 
remaining oil variables of layer two; 

In case one of the linear systems has no solution, we start from the beginning by 
choosing other random values for the vinegar variables of the first layer. 


A valid signature of a message m under P can be computed by hashing and subse- 


quently finding pre-images under the secret maps 7, F and S (Algorithm 32). 


Algorithm 32 Rainbow Signature generation. 


Input: secret key sk = (7, F, S), message m € {0,1}* 


1. 
2, 
3. 
4. 


Calculate my = H(m) 

Calculate u = T~!(my) 

Find pre-image u~! of u under F 
Calculate s = S71 (u7!) 


Output: signature s 


Let m € {0,1}* be a message and s € F” a signature. The signature s is accepted if 


H(m) = P (s) holds; otherwise, it is rejected (Algorithm 33). 


Algorithm 33 Rainbow Verification. 


Input: public key P, message m € {0,1}*, signature s € F” 


1. 
2. 


Calculate m'y = P (s) 
Calculate my = H(m) 


Output: valid if m4 = my, else invalid 


The Rainbow instances with their corresponding parameter choices are shown in 


Table 7. 


Table 7. Rainbow round 3 parameter sets. 


F V1 01 02 
Level I GF(16) 36 32 32 
Level III GF(256) 68 32 48 
Level V GF(256) 96 36 64 


4.2.1. Rainbow Security Considerations 


A recent attack by Ward Beullens [37] in February 2022 has shown a considerable 


improvement in previously known attacks against Rainbow. The main enhancement arises 
from the combination of a previously developed rectangular MinRank attack [38] and 
an improved guessing technique. In order to resist this attack, the Rainbow parameters 
would be required to even exceed the length of the standard (and better-understood) UOV 
approach. This essentially renders the preferred usage of Rainbow over UOV questionable 
since the performance gain is rather small compared to the additional complexity of the 
scheme. 
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